
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #89

November 09, 2007

Help with a SANS research project: SANS is preparing a report on the most important federal initiatives that can be proven to have significantly reduced national vulnerability to cyber attacks, prevented those attacks, and/or minimized the damage from those attacks. If you know of any initiatives that meet those criteria, send us your recommendation (apaller@sans.org) and we'll include you in this project so you can review the others that have been recommended. Your name will not be disclosed unless you ask. Deadline, Tuesday, Nov. 13.

The top two eDiscovery folks in the country will provide a two hour briefing on the key elements of e-Discovery that every security practitioner needs in order to protect his or her organization. This session is free for everyone attending courses at SANS CDI 2007 (ten phenomenal hands-on, immersion security courses - see http://www.sans.org/info/14231). We have about 40 open places for others who cannot attend CDI but want to attend the eDiscovery mini-course.

How Many Machines on Your Network are Infected with Malware? Imagine a new hybrid technology that merges the 'system cleaning' properties of traditional antispyware products with the efficiency of powerful antivirus-based technology. It's available with Sunbelt Counterspy Enterprise.

TOP OF THE NEWS

White House Requests US $154 Million for Cyber Security Spending (November 6, 2007)

The Bush administration has requested US $154 million in funding for new cyber security programs. The bulk of that money, US $115 million, would be put toward enhancing the deployment of the Einstein program through the US Computer Emergency Readiness Team. The Einstein program "monitors about 13 participating agencies' network gateways for traffic patterns that indicate the presence of" malware. US $39 million would go to the Department of Justice "to help the FBI investigate incursions into federal networks, increase intelligence analysis and provide technical tools for investigations and analysis."
-http://www.fcw.com/online/news/150721-1.html?type=pf

Members of the House Foreign Affairs Committee harshly criticized Yahoo! executives for omitting information about providing user data to Chinese officials. Journalist Shi Tao was put in jail after information provided by Yahoo! helped authorities in China identify him. Yahoo! executive VP and general counsel Michael Callahan initially told the House panel that he did not know why Chinese authorities wanted the information. Later it became clear that there were documents in Yahoo!'s possession indicating that the identifying information was sought because of "suspected illegal provision of state secrets." The panel said that Yahoo! had been "inexcusably negligent" and "deceptive."
-http://news.bbc.co.uk/2/hi/technology/7081458.stm
-http://www.vnunet.com/vnunet/news/2202927/congress-savages-yahoo-china

One year ago, former DuPont scientist Gary Min pleaded guilty to theft of trade secrets. A US District Court judge has now sentenced Min to 18 months in prison and ordered him to pay US $14,500 in restitution and a US $30,000 fine. DuPont became suspicious of Min's motives when they realized that he was the second most active user of the company's database. In the second half of 2005, Min accessed approximately 38,000 documents and scientific abstracts with the intent of giving the information to a DuPont rival where he was going to work. Min apparently also uploaded some DuPont documents to the laptop provided to him by his new employer.
-http://www.scmagazineus.com/Former-DuPont-scientist-gets-18-months-in-jail-to-close-out-400-million-corporate-espionage-case/article/96290/
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202804057
[Editor's Note (Paller): Data leakage protection (DLP) tools have matured to the point where 84% of large organizations are using them, or plan to deploy them in the next eight months, to try to stop this type of attack. Many of the pioneering users of data leakage protection are coming together in Orlando in early December to share the lessons they have learned about which products to deploy and how to manage them. More at http://www.sans.org/info/15921 .
(Cole): As attacks become more damaging, organizations need to focus on preventive rather than reactive security measures. Instead of just detecting that Mr. Min was the second most active user, why did they not block or stop the access to information he did not need to perform his job? If Mr. Min had been less aggressive with the amount of information he was taking, so that he was not in the top 5 downloaders, he probably would not have been caught. Two promising practices for dealing with this problem are data classification and least privilege through role based access control. Unless organizations control and stop the downloading of documents, this problem will continue to grow. ]

Arrest in Italian Spying and Wiretapping Case (November 6 & 8, 2007)

Police in Milan, Italy have arrested Roberto Preatoni, one of the founders of WabiSabiLabi and Zone-h, in connection with a spying case involving Telecom Italia. He has been charged with unauthorized access to computer systems and wiretapping. Preatoni is one of several security consultants who, when hired to conduct penetration testing for Telecom Italia, allegedly used malware and wiretapping methods to spy on the chief executive of Brasil Telecom, the investigation agency Kroll, and several journalists.
-http://www.channelregister.co.uk/2007/11/08/telecom_italia_spying_probe_latest/print.html
-http://www.techworld.com/security/news/index.cfm?newsID=10565
[Editor's Note (Skoudis): Every organization that utilizes penetration testing services, either those offered by outside consultants or inside employees, must clearly spell out the rules of engagement in advance. These rules should indicate whether any tools can be installed on target systems (such as sniffers or backdoors). They should also rule out the installation of rootkits for the vast majority of tests.
(Schultz): This incident highlights the need to do a much more thorough background check of third parties hired to conduct penetration testing (as well as third parties hired to do other information security-related tasks) than is typically currently done. ]

Former DOD Employee Pleads Guilty to Wire Fraud (November 6, 2007)

A former US Department of Defense (DOD) civilian employee could face up to 20 years in prison for manipulating a pay-processing computer system to defraud the government of US $700,000. Lilia Delgadillo and co-conspirator Granados devised a scheme to enter phony pay adjustments that caused funds to be wired into Delgadillo's bank account. Delgadillo has pleaded guilty to wire fraud; Granados has already pleaded guilty to wire fraud in September. Delgadillo could also face a fine of up to US $250,000. In June, a California Army National Guard member pleaded guilty to one count of wire fraud and one count of conspiracy in a separate but similar case. -http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9045758&source=NLT_SEC&nlid=38

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Warner Bros., Paramount Pictures, and Dreamworks, a Paramount affiliate, have reached an agreement that will allow Paramount and Dreamworks to sell DVDs through Warner's established outlets in China. The move is aimed at combating movie piracy in China, where illegal copies of new release movies are often available for less than a dollar just days after their American theatrical releases. The three studios plan to have legitimate copies of movies in the China stores two months after their release; they will be priced at US $3. Chinese authorities have increased the penalties for piracy and are stepping up enforcement. -http://www.smh.com.au/news/Technology/US-Studios-in-China-AntiPiracy-Deal/2007/11/08/1194329326190.html

Microsoft has signed an agreement with Chinese computer maker Founder Technology Group Corp. that will have Windows pre-installed on the company's PCs. The move is an effort to fight software piracy, which is rampant in China (As is movie piracy, as the previous story shows.). An estimated 82 percent of software used in China last year was pirated; the average for the Asian region is 55 percent. Other Microsoft products will be available for sale in Founder stores throughout China. Microsoft reached a similar agreement with Lenovo, the number one Chinese PC maker, last March. -http://www.smh.com.au/news/Technology/Microsoft-Makes-AntiPiracy-Move/2007/11/07/1194329313778.html#

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Salesforce.com customers are at risk of receiving phishing and other ill-intentioned email after a salesforce.com employee was tricked by a phishing scam into revealing a company password that allowed the attacker access to the customer database. Customers have reported receiving phony Salesforce.com invoices. Salesforce.com counts several banks among its customers.
-http://www.networkworld.com/news/2007/110607-salesforcecom-falls-for-phishing-scam.html?nltxsec=1105securityalert3&code=nlsecuritynewsal107645
-http://blog.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html
-http://news.zdnet.co.uk/security/0,1000000189,39290616,00.htm?r=1
[Editor's Note (Honan): The increasing uptake of Software As A Service solutions is not going unnoticed by criminal elements. Criminals recognize that SaaS companies are very attractive targets due to the nature of the sensitive data they store on behalf of their customers. If your company decides to implement SaaS solutions, make sure your SLA covers items such as breach notification, contact details for the provider's security personnel and joint incident response processes.
(Ullrich): Finally they are revealing the real problem. This drama is dragging on much longer than it had to; makes you wonder whether proper incident handling procedures were followed. Sometimes it's too easy to accept the "convenient answer" only to find out that the right answer will be much less convenient the longer it remains covered up. ]

Track and monitor all access to network resources and cardholder data. It seems simple enough, but PCI requirement 10 can often get organizations into audit trouble. Your customers' card data gets stored, processed and transmitted at many other points besides devices on your corporate network. Log data from all these points needs to be collected and managed to build a strong foundation for your PCI compliance program. Do you even know where this data resides?

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Traditional defenses have proven to be less than effective at protecting your data where it lives - your valuable databases and applications. Although network and host-based security technologies can detect and prevent many common attacks, they often miss more sophisticated penetration attempts such as electronic fraud, insider theft and sabotage, and unauthorized access.

How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.

Dr. Cole will present new penetration testing technology that lets you see your web applications from an attacker's perspective.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/